The behavior of the actors was reportedly identical to what was described by Minerva Labs in 2021
Daily Archives: September 30, 2022
Enterprises embrace devsecops practices against supply chain attacks
For enterprise security professionals alarmed about the rising number of supply chain attacks, a report released this week by Google and supply chain security firm Chainguard has good news: Devsecops best practices are becoming more and more common.
The recent prevalence of supply chain attacks—most notably the SolarWinds attack, which affected numerous large companies in 2021—has brought the topic into prominence. The Google-Chainguard report, though, found that many supply chain security practices recommended by the major frameworks are already in place among software developers, based on an ongoing “snowball” survey of 33,000 such developers over the past eight years.
Lazarus-Associated Hackers Weaponize Open-Source Tools Against Several Countries
The advisory suggests Zinc has targeted media, defense and aerospace, and IT services
Watchfinder warns customers that hackers stole their data
Luxury pre-owned watch website Watchfinder has warned its user base that their personal data has been accessed after an employee’s account was broken into and a customer list accessed.
Microsoft Confirms Two Exchange Zero-Day Vulnerabilities
The vulnerabilities were first discovered by Vietnamese cybersecurity firm GTSC
Security Vulnerabilities in Covert CIA Websites
Back in 2018, we learned that covert system of websites that the CIA used for communications was compromised by—at least—China and Iran, and that the blunder caused a bunch of arrests, imprisonments, and executions. We’re now learning that the CIA is still “using an irresponsibly secured system for asset communication.”
Citizen Lab did the research:
Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive’s Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.
The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.
[…]
The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:
Several are currently abroad
Another left mainland China in the timeframe of the Chinese crackdown
Another was subsequently employed by the US State Department
Another now works at a foreign intelligence contractor
Citizen Lab is not publishing details, of course.
When I was a kid, I thought a lot about being a spy. And this, right here, was the one thing I worried about. It didn’t matter how clever and resourceful I was. If my handlers were incompetent, I was dead.
Another news article.
CVE-2022-41040 and CVE-2022-41082: ProxyShell Variant Exploited in the Wild
Microsoft has confirmed reports of two zero-day vulnerabilities in Microsoft Exchange Server that have been exploited in the wild. Patches are not yet available.
Background
On September 28, GTSC Cybersecurity Technology Company Limited published a blog post (English translation published later) regarding their discovery of two zero-day vulnerabilities in Microsoft Exchange Server. According to GTSC, its Security Operations Center team discovered the exploitation in August 2022 during its “security monitoring & incident response services.”
GTSC reported these vulnerabilities through Trend Micro’s Zero Day Initiative (ZDI) but, seeing more evidence of exploitation against other targets, decided to publish information about the flaws along with indicators of compromise and mitigation guidance to help organizations defend against attacks.
Late on September 29, Microsoft confirmed the vulnerabilities and assigned CVEs — CVE-2022-41040 and CVE-2022-41082 — but has yet to release patches, stating “we are working on an accelerated timeline to release a fix.”
Analysis
CVE-2022-41040 is an authenticated server-side request forgery vulnerability in Microsoft Exchange Servers that was assigned a CVSSv3 score of 6.3 by ZDI. Exploitation of CVE-2022-41040 could allow an attacker to exploit CVE-2022-41082.
CVE-2022-41082 is an authenticated remote code execution vulnerability assigned a CVSSv3 score of 8.8. It is very similar to ProxyShell, a chain of three vulnerabilities in Exchange Server discovered by Orange Tsai in 2021. However, the original ProxyShell attack chain did not require authentication, while CVE-2022-41082 does.
Looks like a neat variant!
— Orange Tsai 🍊 (@orange_8361) September 29, 2022
Proof of concept
The team at GTSC provided details of the post-exploitation activity it observed in attacks exploiting these vulnerabilities, but were careful not to publish a detailed proof-of-concept (PoC). No public PoC has been identified yet.
Vendor response
At the time of publication, Microsoft has confirmed these vulnerabilities, but has not released patches. It has provided mitigation and detection guidance. Organizations deploying Microsoft Exchange on-prem should follow the instructions provided by Microsoft to add a new blocking rule to the internet information services manager. We will provide updated patching and mitigation guidance once it is available.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
Microsoft Blog Post: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
GTSC Cybersecurity Technology Company Limited’s Write Up (English Language)
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
NCSC: UK Organizations Can Learn from Ukraine’s Impressive Cyber Defenses
NCSC CEO, Lindy Cameron, outlines the UK’s observations of the cyber dimension of the Russia-Ukraine conflict
How analyzing employee behavior can improve your cybersecurity posture
This blog was written by an independent guest blogger.
Despite the ongoing rise in social engineering attacks, the idea that cybersecurity is only about technology manifests within most of our minds. Organizations often neglect human behavior’s impact on their cybersecurity postures. Instead, they spend lavishly on endpoint security tools, threat hunting programs, and building incident response plans.
Admittedly, these security measures are a crucial part of mitigating attacks. However, it is critical to remember the role of your employees in maintaining a robust cybersecurity posture, specifically as cybercriminals have been increasingly targeting and exploiting human behavior.
How employee behavior impacts cybersecurity
A study by IBM highlights that human error is the leading cause of 95% of cybersecurity breaches. Although human errors are by definition unintentional, generally caused by a significant lack of awareness, they can often result in adverse circumstances. In other words, an unsuspecting employee who accidentally falls victim to a phishing attack can expose their organization to significant data breaches, causing major operational, reputational, and financial damage.
One such example is the Sequoia Capital attack, which was successful because an employee fell victim to a phishing attack. The company, known for being Silicon Valley’s oldest notable venture fund, was hacked in February 2021. The attack exposed some of its investors’ personal and financial information to third parties, resulting in significant damage to the company.
Such attacks demonstrate the consequences of inadequate phishing awareness training that every organization must provide to its employees. In this sense, simulated micro-learning can be highly effective at teaching teams to recognize potentially malicious messages. A recent report by Hoxhunt found that after some 50 simulations, people’s “failure rates” plummeted from 14% to 4%. By being exposed to simulated phishing attacks over time, they became far more skilled at recognizing them.
Beyond educational solutions, ensuring that your employees practice proper password hygiene is likewise critical. Although passwords have played a remarkable role in ensuring cyber security, relying only on a single password makes your organization vulnerable since it can be stolen or compromised.
Your users might be ignorant of password security and keep generic passwords such as “12345” susceptible to brute force attacks and hack attacks. These practices are standard within an organization that doesn’t deploy the use of secure password managers and has strict password security guidelines for employees to follow.
How can your employees help maintain cybersecurity?
The significant rise in social engineering attacks and the ongoing occurrence of data breaches due to human error have reinforced the idea that humans are the weakest link in cybersecurity. A workforce that can be distracted or tricked is indeed a liability. However, this narrative is hardly set in stone.
With the below strategies in place, it’s possible to maximize team vigilance and circumvent much of the risk associated with human error.
Integrate the principle of least privilege access
The principle of least privileged access has become a crucial aspect of effective cybersecurity. According to this information security philosophy, every user, application, or process should only have a limited amount of permission necessary to complete a particular task. In other words, it stresses the importance of maintaining a hierarchy within an organization so that every employee only has access to the kinds of sensitive information that they need to do their work.
This method significantly helps strengthen an organization’s cybersecurity posture. It eliminates human error and minimizes the attack surface in case of a hack attempt. Any account that a hacker breaks into will only have limited information.
Help employees deploy proper password security
Maintaining password security is a crucial step every organization needs to strengthen its cybersecurity posture. Since most employees are lax when it comes to maintaining password security, it falls upon organizational leaders and policies to ensure people adhere to best practices.
The most crucial step is that organizations need to start using multi-factor authentication (MFA) methods. As the name implies, this technique often involves using a code that is generated upon request and is received on a personal device or email. This method is secure and reliable, as the only way a threat actor can access the account is by acquiring personal devices or emails. Apart from that, organizations can also use managed single sign-on (SSO) services and secure password management platforms that help keep complex passwords with additional layers of security.
Educate and spread awareness regarding phishing attacks
Phishing attacks are a menace and are not going away anytime soon. Since these attacks work on exploiting human behavior and psychology, many of these attacks are successful. It’s their success rate that is causing phishing attacks to rise significantly. In the last year alone, 83% of organizations claim to have experienced a phishing attack.
Amidst this, organizations must deploy adequate training and awareness regarding phishing attacks. An organization can either do this through seminars or exercise classes or utilize gamified applications and software that help improve training.
Strictly monitor employee behavior
Not every human-enabled attack is caused by an unsuspecting employee. Insider threats are also a common occurrence that every organization needs to remain vigilant of.
It is, therefore, crucial for businesses to strictly monitor their employees’ behavior. It is essential to carefully study each employee and notice if they show any signs of malice against the organization. Moreover, organizations can also hire third-party vendors to conduct human reconnaissance practices that rely on studying individuals’ online and normal daily activities to gain insight into their personalities. Such background checks can help management identify any wolf in sheep’s clothing prowling in their midst.
Implement identity and access management
Identity and access management (IAM) is a set of techniques designed to ensure that only the right person or job role is allowed access to a particular tool, information, or resource. Implementing IAM enables the organization to manage employee apps without having to log in each time as an administrator. Moreover, it also helps manage a range of identities, including people, software, and even hardware.
Proper implementation of IAM not only helps enhance productivity but also improves security. It minimizes the chances of slip-ups such as lost passwords and makes access to sensitive information secure and easy.
Final words
To do their jobs well, employees need access to many types of information and resources. Because humans can be tricked in ways that tech can’t detect, they are also the easiest targets for threat actors.
Since employees play such a crucial role, analyzing and learning about their behavior can help the organization understand the weaknesses and cracks in its cybersecurity posture. This can help leaders to deploy adequate training and tools that enable cybersecurity.
Cybersecurity Snapshot: 6 Things That Matter Right Now
Topics that are top of mind for the week ending Sept. 30 | Are you ready for the quantum threat? | Tips for protecting critical infrastructure from cyberattacks | How to prevent MFA fatigue attacks | “FiGHT” to secure 5G networks | And much more!
1. MFA fatigue in the spotlight
The social engineering attack known as multi-factor authentication (MFA) fatigue is in the spotlight after a cybercriminal used it successfully against Uber.
This is the typical scenario: A hacker steals credentials for an MFA-protected account and tries to annoy the user into approving the login attempt via a barrage of mobile push notifications.
In the Uber case, the hacker reportedly took his efforts to another level by actually contacting the targeted user – a Uber contractor – via Whatsapp, saying he was a Uber IT staffer.
So how can your organization prevent MFA fatigue attacks? Here are some recommendations from MITRE:
Block login attempts from locations that are suspicious or don’t match the location of the MFA smart device.
Restrict the number of MFA request prompts that can be sent to users.
Educate users so that they only approve login requests they initiated and report unsolicited prompts.
For more information:
“MFA fatigue attacks are on the rise: How to defend against them” (CSO)
“High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks” (SecurityWeek)
“Quick Tip: MFA Fatigue Attacks” (Princeton Univ.)
“MFA Fatigue: How Hackers Breached Uber, Microsoft, and Cisco” (Tech.io)
2. U.S. Congress tackles open source software security
Highlighting the U.S. government’s grave concern about the security of the software supply chain, new legislation focused on open source software (OSS) has just been introduced.
The bipartisan “Securing Open Source Software Act of 2022” was sponsored by two senators – Gary Peters (D-MI) and Rob Portman (R-OH) – and comes in response to the shocking discovery in November 2021 of the Log4Shell vulnerability in the ubiquitous Log4j open source component.
The bill, whose sponsors hold leadership positions in the Senate’s Homeland Security and Governmental Affairs Committee, calls for tasking the Cybersecurity and Infrastructure Security Agency (CISA) with:
Creating a risk framework to assess how the federal government uses OSS
Evaluating how this framework could be used by critical infrastructure operators
Hiring experienced OSS developers so the government and the OSS community can collaborate and address future situations like the Log4j vulnerability
Establishing a software security advisory subcommittee
To get more details, you can read:
The full text of the bill
The sponsors’ press release
Commentary and analysis from the Open Source Security Foundation, The Washington Post, NextGov and Axios.
“Apache Log4j Flaw: A Fukushima Moment for the Cybersecurity Industry” (Tenable)
3. Rinse and repeat: Cyberthreats top business concerns
In a survey of 1,200 U.S. business decision makers, cyberthreats topped all business concerns, specifically suffering a system breach and becoming a ransomware victim.
The “2022 Travelers Risk Index,” from the namesake insurance provider, also found gaping holes in respondents’ cyber preparedness, including an absence of:
Endpoint detection and response (64%)
Vendor cyber assessments (59%)
Incident response plans (53%)
Multi-factor authentication (48%)
Significantly, 26% said their company had suffered a data breach or a cyber event, with about half of those incidents happening in the past 12 months. Among these respondents, 71% have been successfully attacked more than once.
Still, a whopping 93% of respondents expressed confidence about their organizations’ ability to prevent or mitigate a cyber incident via the implementation of best practices, although 57% said it’s inevitable they’ll suffer a future cyberattack.
For more information about establishing strong cybersecurity foundations:
NIST Cybersecurity Framework
Cloud Security Alliance Cloud Controls Matrix
Center for Internet Security’s Critical Security Controls
MITRE ATT&CK Framework
National Cyber Security Centre’s Cyber Essentials
4. Quantum computing’s security threat looms
Is quantum computing’s security threat on your risk radar screen yet? The drumbeat of concerns about the technology’s danger for data security and privacy is getting louder. The latest indication comes from a Deloitte online poll of 400-plus professionals who have assessed the benefits and downsides of quantum computers.
These systems don’t exist yet, but when they become available – maybe around 2030 – they’ll be able to decrypt data protected with today’s public-key cryptographic algorithms. While “quantum resistant” algorithms are in the works, cybercrooks are stealing data now to decrypt it later with quantum computers – a scheme known as “harvest now, decrypt later.”
About 50% of survey respondents said they believe their organization is at risk for this type of attack. When asked if their organization has conducted a quantum risk assessment, 45% said they either completed one or plan to conduct one within the next year. Another 16% plan to conduct one in two to five- years and 6% in six to 10 years. About 7% don’t plan to do one.
(Source: “Harvest Now, Decrypt Later Attacks Pose a Security Concern as Organizations Consider Implications of Quantum Computing” report from Deloitte, September 2022)
Recommendations from Deloitte include:
Making a cryptographic inventory
Sharpening data governance
Managing certificates
For more information:
“Quantum apocalypse: Experts warn of ‘store now, decrypt later’ hacks” (Silicon Republic)
“Now Is the Time to Plan for Post-Quantum Cryptography” (DarkReading)
“Four new defenses against quantum codebreakers” (Politico)
“Getting Ready for Post-Quantum Cryptography” (U.S. National Institute of Standards and Technology)
“Preparing for Post-Quantum Cryptography” (U.S. Department of Homeland Security)
5. CISA/NSA: Tips to protect critical infrastructure from cyberattacks
The U.S. government is warning about cyberthreats faced by critical infrastructure facilities via vulnerable IT and operational technology / industrial control systems (OT/ICS) environments.
In an advisory, the government explains why these environments are increasingly at risk to cyberattacks; details how attackers – including advanced persistent threat (APT) groups – target them; and offers mitigation strategies.
The document from the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) lists the steps attackers typically follow:
Based on their motivation, such as financial, political or military, they pick a desired effect (disrupting, disabling or destroying) and select a target.
They collect intelligence via multiple avenues, including by breaching the facility’s IT network and by gathering publicly available information.
They then develop techniques and tools to breach the system, often by building a mock-up of the target system.
They gain initial access to the system, typically via remote access points that are often poorly secured.
Once they have access to the targeted OT/ICS system, they’ll disrupt the operator’s ability to monitor and control it; tamper with the system; and more.
“Using these techniques, cyber actors could cause various physical consequences. They could open or close breakers, throttle valves, overfill tanks, set turbines to over-speed, or place plants in unsafe operating conditions,” the document reads.
Recommended mitigation measures include:
Limit exposure of system information, such as by avoiding offering details of its hardware, firmware and software in public forums.
Identify and secure remote access points by creating a full inventory of them and limiting and hardening assets exposed to the internet.
Restrict tools and scripts only to users authorized to perform tasks on the control system.
Conduct regular security audits to validate all connections, review patching procedures, monitor system logs, and more.
Implement a “dynamic network environment” by adding firewalls and routers from different vendors, modifying IP address pools and upgrading hardware and software.
For more information:
“Stop Malicious Cyber Activity Against Connected Operational Technology” (CISA/NSA)
“Control System Defense: Know the Opponent” (CISA/NSA)
“IT/OT Convergence: Now Is the Time to Act” (Tenable)
“CISA, NSA Guidance Tries to Reduce Alternatives for Securing ICS” (NextGov)
“Accidental Convergence: A Guide to Secured IT/OT Operations” (Tenable)
6. A new framework for 5G network security
Attacks against 5G systems will ramp up as deployments of this mobile network technology increase, so securing them properly is critical. To that end, MITRE and the U.S. Defense Department have released a framework called “5G Hierarchy of Threats,” or FiGHT for short, intended for securing 5G ecosystems.
FiGHT contains three types of adversary tactics and techniques: theoretical, proof of concept and observed. It can be used to assess threats, emulate attacks and plan cyber investments.
Modeled after the MITRE ATT&CK framework, FiGHT is aimed primarily at telecom providers, manufacturers and cybersecurity researchers.
For more information about 5G security challenges and best practices:
“5G Implementation Security Risks” (CISA)
“5G Cybersecurity” (NIST)
“Secure 5G” (U.S. National Telecommunications and Information Administration)
“Tackling Security Challenges in 5G Networks” (EU Agency for Cybersecurity – ENISA)
“Security Implications of 5G Technology” (DHS)